This procedure is for configuring Cisco Anyconnect VPN on CentOS7 gnome desktop.
I also have a similar page for installing Cisco Anyconnect VPN on a CentoOS "Server GUI" with KDE Desktop (different base install option). You might want to look at that guide too. It is simpler than this one. Everything is done with YUM commands - no wget's. It might also work on the GNOME desktop as well you can try it out instead of the below procedure.
This procedure was done on a brand-new install of CentOS7 on a Lenovo ThinkPad P70 laptop. This install of CentOS7 desktop was a straight-out-of-the box install with no tweaks at all wherein I selected the GNOME desktop option (not the Plasma!) and I selected a bunch of development tools and libraries as well, but everything was selected from the default installer menu, there were no hacks or tweaks. It's a straightforward procedure not hard to do at all. However, I could not find anywhere on the web where all the steps were gathered in one place. This should theoretically work for RedHat7 desktop and OracleLinux7 Desktop, but it is only tested on CentOS7 GNOME desktop. The setup of Cisco AnyConnect VPN is detailed below.
Basically, this webpage here was the starting point which got this successful Cisco AnyConnect VPN configuration rolling. The first step therefore is to install EPEL which more or less is a project of Fedora which provides a high-quality library of packages which are interoperable with CentOS7 and other similar Linuxes. I downloaded the EPEL rpm from here, but for convenience I have attached it to this post as well just in case that link is down for any reason. It's recommended to use the link instead of the copy attached to this post so that you get the latest EPEL from Fedora Genuine. Now install EPEL as shown below. Note that as dependencies EPEL will also install the packages VPNC and VPNC-SCRIPT. That's a good thing those are also needed for Cisco Anyconnect so no worries.
[root@localhost Downloads]# rpm -Uvh epel-release-7-8.noarch.rpm
warning: epel-release-7-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:epel-release-7-8 ################################# [100%]
[root@localhost Downloads]# yum install vpnc
Loaded plugins: fastestmirror, langpacks
epel/x86_64/metalink | 14 kB 00:00:00
epel | 4.3 kB 00:00:00
(1/3): epel/x86_64/group_gz | 170 kB 00:00:00
(2/3): epel/x86_64/updateinfo | 594 kB 00:00:00
(3/3): epel/x86_64/primary_db | 4.3 MB 00:00:00
Loading mirror speeds from cached hostfile
* base: mirror.beyondhosting.net
* epel: muug.ca
* extras: mirrors.liquidweb.com
* updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package vpnc.x86_64 0:0.5.3-22.svn457.el7 will be installed
--> Processing Dependency: vpnc-script for package: vpnc-0.5.3-22.svn457.el7.x86_64
--> Running transaction check
---> Package vpnc-script.noarch 0:0.5.3-22.svn457.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
vpnc x86_64 0.5.3-22.svn457.el7 epel 85 k
Installing for dependencies:
vpnc-script noarch 0.5.3-22.svn457.el7 epel 14 k
Transaction Summary
===================================================================================================================================================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 99 k
Installed size: 210 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/vpnc-0.5.3-22.svn457.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for vpnc-0.5.3-22.svn457.el7.x86_64.rpm is not installed
(1/2): vpnc-0.5.3-22.svn457.el7.x86_64.rpm | 85 kB 00:00:00
(2/2): vpnc-script-0.5.3-22.svn457.el7.noarch.rpm | 14 kB 00:00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 261 kB/s | 99 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-8.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : vpnc-script-0.5.3-22.svn457.el7.noarch 1/2
warning: /etc/vpnc/vpnc-script created as /etc/vpnc/vpnc-script.rpmnew
Installing : vpnc-0.5.3-22.svn457.el7.x86_64 2/2
Verifying : vpnc-script-0.5.3-22.svn457.el7.noarch 1/2
Verifying : vpnc-0.5.3-22.svn457.el7.x86_64 2/2
Installed:
vpnc.x86_64 0:0.5.3-22.svn457.el7
Dependency Installed:
vpnc-script.noarch 0:0.5.3-22.svn457.el7
Complete!
[root@localhost Downloads]#
I got the CentOS7 OpenConnect RPM from Springdale but there should be several places where it can be obtained. This one I will also attach to this blog post so that the exact RPM that I used is available. I did this configuration between midnight and 3AM this morning, so now in the afternoon I'm retracing my footsteps while it's still fresh to get this guide created. However, I believe you can also get this same RPM from elders.princeton.edu. So that's three places to get it - Springdale, Princeton, and here at this blog attached at the bottom of this page. But you can't install it yet because unless you have previously done so, there are some libraries that will be needed to satisfy dependencies for the OpenConnect RPM. Just so that you see what the issue is, below is an example of what you get when trying to install the OpenConnect RPM without the required libraries. In a subsequent step below, those libraries will be easily obtained and then OpenConnect installed perfectly.
[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm
warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
error: Failed dependencies:
liblz4.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
libstoken.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
libstoken.so.1(STOKEN_1.0)(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
[root@localhost Downloads]#
Install lz4 Library
It's easy as shown below to get the lz4 library. Just run the following command simply using yum to install the library as shown below.
[root@localhost Downloads]# yum install lz4
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.beyondhosting.net
* epel: mirror.steadfast.net
* extras: mirrors.liquidweb.com
* updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package lz4.x86_64 0:r131-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
lz4 x86_64 r131-1.el7 epel 70 k
Transaction Summary
===================================================================================================================================================================================================================
Install 1 Package
Total download size: 70 k
Installed size: 220 k
Is this ok [y/d/N]: y
Downloading packages:
lz4-r131-1.el7.x86_64.rpm | 70 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : lz4-r131-1.el7.x86_64 1/1
Verifying : lz4-r131-1.el7.x86_64 1/1
Installed:
lz4.x86_64 0:r131-1.el7
Complete!
Install libstoken Library
The libstoken library is also needed so install it simply using yum again as shown below.
[root@localhost Downloads]# yum install stoken-libs
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.beyondhosting.net
* epel: ca.mirror.babylon.network
* extras: mirrors.liquidweb.com
* updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package stoken-libs.x86_64 0:0.6-1.el7 will be installed
--> Processing Dependency: libtomcrypt.so.0()(64bit) for package: stoken-libs-0.6-1.el7.x86_64
--> Running transaction check
---> Package libtomcrypt.x86_64 0:1.17-23.el7 will be installed
--> Processing Dependency: libtommath >= 0.42.0 for package: libtomcrypt-1.17-23.el7.x86_64
--> Processing Dependency: libtommath.so.0()(64bit) for package: libtomcrypt-1.17-23.el7.x86_64
--> Running transaction check
---> Package libtommath.x86_64 0:0.42.0-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
stoken-libs x86_64 0.6-1.el7 epel 36 k
Installing for dependencies:
libtomcrypt x86_64 1.17-23.el7 epel 224 k
libtommath x86_64 0.42.0-4.el7 epel 35 k
Transaction Summary
===================================================================================================================================================================================================================
Install 1 Package (+2 Dependent packages)
Total download size: 296 k
Installed size: 707 k
Is this ok [y/d/N]: y
Downloading packages:
(1/3): libtomcrypt-1.17-23.el7.x86_64.rpm | 224 kB 00:00:00
(2/3): libtommath-0.42.0-4.el7.x86_64.rpm | 35 kB 00:00:00
(3/3): stoken-libs-0.6-1.el7.x86_64.rpm | 36 kB 00:00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 368 kB/s | 296 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libtommath-0.42.0-4.el7.x86_64 1/3
Installing : libtomcrypt-1.17-23.el7.x86_64 2/3
Installing : stoken-libs-0.6-1.el7.x86_64 3/3
Verifying : libtommath-0.42.0-4.el7.x86_64 1/3
Verifying : libtomcrypt-1.17-23.el7.x86_64 2/3
Verifying : stoken-libs-0.6-1.el7.x86_64 3/3
Installed:
stoken-libs.x86_64 0:0.6-1.el7
Dependency Installed:
libtomcrypt.x86_64 0:1.17-23.el7 libtommath.x86_64 0:0.42.0-4.el7
Complete!
Install vpnc-script
This section was added a few days later. If you get a dependency error about "vpnc-script" then you will have to install that too. Seems I may have overlooked that vpnc-script is a dependency or may have installed it earlier when I first worked this out (at 3AM or so) and discovered this while installing openconnect on another server.
Use yum to install vpnc-script as shown below if the install of openconnect complains about vpnc-script dependency. I've included the output that shows openconnect install failing due to the missing vpnc-script dependency for completeness.
[root@centos-72d ~]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm
warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
error: Failed dependencies:
vpnc-script is needed by openconnect-7.06-1.sdl7.x86_64
[root@centos-72d ~]# yum install vpnc-script
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.eboundhost.com
* epel: ftp.osuosl.org
* extras: mirror.umd.edu
* updates: mirror.tzulo.com
Resolving Dependencies
--> Running transaction check
---> Package vpnc-script.noarch 0:0.5.3-22.svn457.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================================
Installing:
vpnc-script noarch 0.5.3-22.svn457.el7 epel 14 k
Transaction Summary
=============================================================================================================================================================================
Install 1 Package
Total download size: 14 k
Installed size: 19 k
Is this ok [y/d/N]: y
Downloading packages:
vpnc-script-0.5.3-22.svn457.el7.noarch.rpm | 14 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : vpnc-script-0.5.3-22.svn457.el7.noarch 1/1
Verifying : vpnc-script-0.5.3-22.svn457.el7.noarch 1/1
Installed:
vpnc-script.noarch 0:0.5.3-22.svn457.el7
Complete!
[root@centos-72d ~]#
Install OpenConnect
Now the OpenConnect RPM can be installed successfully as shown below.
[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm
warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:openconnect-7.06-1.sdl7 ################################# [100%]
[root@localhost Downloads]# rpm -qa | egrep 'openconnect|vpnc'
openconnect-7.06-1.sdl7.x86_64
vpnc-script-0.5.3-22.svn457.el7.noarch
vpnc-0.5.3-22.svn457.el7.x86_64
[root@localhost Downloads]#
This AnyConnect client has no GUI so it is just run from a terminal as root as shown below. Name of the vpn server used for this example and other private information has been redacted in the example connection shown below. When you get the "Established blah blah blah connection..." it means that the VPN is connected and ssh to servers and other resources such as websites on the VPN is now available. Be sure to leave that terminal window open for the duration of the VPN session. Closing that window terminates the VPN session.
[oracle@localhost Downloads]$ su - root
Password:
Last login: Sat Aug 13 19:57:21 EDT 2016 on pts/0
[root@localhost ~]# openconnect https://vpn.xxxxxxxxxxxx.com
POST https://vpn.xxxxxxxxxxxx.com/
Attempting to connect to server xx.xx.xxx.x:443
SSL negotiation with vpn.xxxxxxxxxxxx.com
Server certificate verify failed: signer not found <-- Means the VPN certificate for this VPN unsigned np...just answer yes below and continue...
Certificate from VPN server "vpn.xxxxxxxxxxxx.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.xxxxxxxxxxxx.com
XML POST enabled
Please enter your username and password.
GROUP: [datacenter|dmz|poc-mgmt|poc1|poc2|poc3|poc5|selfservice]:datacenter
POST https://vpn.xxxxxxxxxxxx.com/
XML POST enabled
Please enter your username and password.
Username:xxxxxxx
Password:
POST https://vpn.xxxxxxxxxxxx.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as xx.xx.xxx.xx, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
The /etc/resolv.conf file may get updated with DNS servers for the VPN as shown below. This overwrite blanks out my local nameserver for my laptop network so I need to add back in my local nameserver in the correct position (first) as shown below. Note IP addresses of actual nameservers are redacted. The /etc/resolv.conf says in its header that VPNC generated it so there may be some way to configure VPNC to add-in that extra local nameserver somehow and at some point I need to return and solve that issue so that it's not necessary to add the nameserver manually every time the VPN is connected. The added nameserver must be added in the first position.
[root@stlns01 data]# cat /etc/resolv.conf
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by NetworkManager
search robinsystems.com. robinsystems.com
nameserver 10.207.39.1 <-- This nameserver has been added back in manually with vi after VPN started
nameserver 10.7.10.21
nameserver 10.7.10.12
[root@stlns01 data]#
Please send me an email at gilstanden@hotmail.com if you find any errors or omissions in this procedure or to share your observations with it such as improvements or simplifications.